chore: Merge branch 'main' into feat/boil-image-check-command

Author: Techassi

.github/workflows/patchable_pr.yaml

@@ -0,0 +1,67 @@
+---
+name: Build patchable
+
+on:
+  pull_request:
+    paths:
+      - ".github/workflows/patchable_pr.yaml"
+      - "rust-toolchain.toml"
+      - "rust/patchable/**.rs"
+      - "Cargo.*"
+
+permissions:
+  contents: read
+
+env:
+  RUST_VERSION: 1.89.0
+
+jobs:
+  # This job is always run to ensure we don't miss any new upstream advisories
+  cargo-deny:
+    name: Run cargo-deny
+    runs-on: ubuntu-latest
+    # Prevent sudden announcement of a new advisory from failing CI
+    continue-on-error: ${{ matrix.checks == 'advisories' }}
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Run cargo-deny
+        uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2.0.15
+        with:
+          command: check ${{ matrix.checks }}
+
+  build:
+    name: Build patchable
+    needs:
+      - cargo-deny
+    strategy:
+      fail-fast: false
+      matrix:
+        targets:
+          - { target: aarch64-unknown-linux-gnu, os: ubuntu-24.04-arm }
+          - { target: x86_64-unknown-linux-gnu, os: ubuntu-latest }
+          - { target: aarch64-apple-darwin, os: macos-latest }
+    runs-on: ${{ matrix.targets.os }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921
+        with:
+          toolchain: ${{ env.RUST_VERSION }}
+          targets: ${{ matrix.targets.target }}
+
+      - name: Build Binary
+        env:
+          TARGET: ${{ matrix.targets.target }}
+        run: cargo build --target "$TARGET" --package patchable

.github/workflows/precompile_hadoop.yaml

@@ -0,0 +1,51 @@
+---
+name: Compile Hadoop
+run-name: |
+  Compile Hadoop (attempt #${{ github.run_attempt }})
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [main]
+    paths:
+      - precompiled/hadoop/**
+      # I don't think there's any reason to rebuild just because the workflow changed.
+      # If the version is compiled (for that patch set), then it needs no rebuild.
+      # - .github/actions/**
+      # - .github/workflows/precompile_hadoop.yaml
+      # - .github/workflows/reusable_build_image.yaml
+
+permissions: {}
+
+jobs:
+  # This is a separate job so that it remains consistent if a rerun of failed jobs is needed.
+  # It is used in place of the "sdp-version" passed to the build action.
+  generate_build_timestamp:
+    name: Generate unix timestamp
+    runs-on: ubuntu-latest
+    steps:
+      - shell: bash
+        id: unix_timestamp
+        run: |
+          set -euo pipefail
+          UNIX_TIMESTAMP=$(date +%s)
+          echo "unix_timestamp=$UNIX_TIMESTAMP" | tee -a "$GITHUB_OUTPUT"
+    outputs:
+      unix_timestamp: ${{ steps.unix_timestamp.outputs.unix_timestamp }}
+
+  build_image:
+    name: Reusable Workflow
+    uses: ./.github/workflows/reusable_build_image.yaml
+    needs: [generate_build_timestamp]
+    secrets:
+      harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_PRECOMPILED_GITHUB_ACTION_BUILD_SECRET }}
+      slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }}
+    permissions:
+      # Needed for cosign (sign and attest)
+      id-token: write
+      # Needed for checkout
+      contents: read
+    with:
+      product-name: hadoop
+      sdp-version: ${{ needs.generate_build_timestamp.outputs.unix_timestamp }}
+      registry-namespace: precompiled

.github/workflows/reusable_build_image.yaml

@@ -146,6 +146,8 @@ jobs:
     name: Failure Notification
     needs: [generate_version_dimension, build, publish_manifests]
     runs-on: ubuntu-latest
+    # TODO (@NickLarsenNZ): Allow a condition from input so that we can always
+    # be notified of new builds for precompiled product images.
     if: failure() || (github.run_attempt > 1 && !cancelled())
     steps:
       - name: Send Notification

CHANGELOG.md

@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Added
+
+- hadoop: Add precompiled hadoop for later reuse in dependent images ([#1466]).
+- nifi: Add version `2.9.0` ([#1463]).
+
 ### Changed
 
 - hbase: Update `hbase-opa-authorizer` from `0.1.0` to `0.2.0` and then `0.3.0` ([#1446], [#1454]).
@@ -17,6 +22,8 @@ All notable changes to this project will be documented in this file.
 [#1452]: https://github.com/stackabletech/docker-images/pull/1452
 [#1453]: https://github.com/stackabletech/docker-images/pull/1453
 [#1454]: https://github.com/stackabletech/docker-images/pull/1454
+[#1463]: https://github.com/stackabletech/docker-images/pull/1463
+[#1466]: https://github.com/stackabletech/docker-images/pull/1466
 
 ## [26.3.0] - 2026-03-16
 

Cargo.lock

@@ -12,13 +12,13 @@ cap-std = "4.0.2"
 clap = { version = "4.5.41", features = ["derive"] }
 clap_complete = "4.5.55"
 clap_complete_nushell = "4.5.8"
-git2 = { version = "0.20.1", features = ["vendored-openssl"] }
+git2 = "0.20.1"
 glob = "0.3.2"
 oci-spec = "0.9.0"
 reqwest = { version = "0.13.2", features = ["json"] }
 rstest = "0.26.1"
 secrecy = "0.10.3"
-semver = { version = "1.0.26", features = ["serde"] }
+regex = "1.12.3"
 serde = { version = "1.0.217", features = ["derive"] }
 serde_json = "1.0.140"
 snafu = "0.9.0"

Cargo.toml

@@ -12,7 +12,7 @@ ARG STACKABLE_USER_UID
 
 # Find the latest version here: https://github.com/apache/maven/releases
 # renovate: datasource=github-tags packageName=apache/maven
-ARG MAVEN_VERSION="3.9.11"
+ARG MAVEN_VERSION="3.9.14"
 
 # See: https://adoptium.net/en-gb/installation/linux/#_centosrhelfedora_instructions
 RUN cat <<EOF > /etc/yum.repos.d/adoptium.repo

java-devel/Dockerfile

@@ -10,7 +10,7 @@ java-devel = "11"
 git-sync-version = "v4.4.1"
 # Check for new versions at the upstream: https://github.com/stackabletech/nifi-opa-plugin/tags
 # Checkout a Patchable version (patch-series) for the new tag
-nifi-opa-authorizer-plugin-version = "0.4.0"
+nifi-opa-authorizer-plugin-version = "0.5.0"
 
 [versions."2.6.0".local-images]
 java-base = "21"
@@ -21,7 +21,7 @@ java-devel = "21"
 git-sync-version = "v4.4.1"
 # Check for new versions at the upstream: https://github.com/stackabletech/nifi-opa-plugin/tags
 # Checkout a Patchable version (patch-series) for the new tag
-nifi-opa-authorizer-plugin-version = "0.4.0"
+nifi-opa-authorizer-plugin-version = "0.5.0"
 
 # Release a new version here: https://github.com/stackabletech/nifi-iceberg-bundle
 # Checkout a Patchable version (patch-series) for the new tag
@@ -36,4 +36,15 @@ java-devel = "21"
 git-sync-version = "v4.4.1"
 # Check for new versions at the upstream: https://github.com/stackabletech/nifi-opa-plugin/tags
 # Checkout a Patchable version (patch-series) for the new tag
-nifi-opa-authorizer-plugin-version = "0.4.0"
+nifi-opa-authorizer-plugin-version = "0.5.0"
+
+[versions."2.9.0".local-images]
+java-base = "21" # As stated in GitHub README
+java-devel = "21"
+"shared/logback" = "1.5.32" # https://github.com/apache/nifi/blob/rel/nifi-2.9.0/pom.xml#L171
+
+[versions."2.9.0".build-arguments]
+git-sync-version = "v4.4.1"
+# Check for new versions at the upstream: https://github.com/stackabletech/nifi-opa-plugin/tags
+# Checkout a Patchable version (patch-series) for the new tag
+nifi-opa-authorizer-plugin-version = "0.5.0"

nifi/boil-config.toml

@@ -0,0 +1,2 @@
+mirror = "https://github.com/stackabletech/nifi-opa-plugin.git"
+base = "e544db52f445c449f97d809441079b04b5cb1a0b"

nifi/opa-plugin/stackable/patches/0.5.0/patchable.toml

@@ -0,0 +1,21 @@
+From d4f0275b86729bd28d83f8d4b28166c827a3385a Mon Sep 17 00:00:00 2001
+From: Nick Larsen <nick.larsen@stackable.tech>
+Date: Mon, 17 Feb 2025 17:26:20 +0100
+Subject: no zip assembly
+
+---
+ nifi-assembly/pom.xml | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml
+index 60250bd60e..d49fe6d0d9 100644
+--- a/nifi-assembly/pom.xml
++++ b/nifi-assembly/pom.xml
+@@ -66,7 +66,6 @@ language governing permissions and limitations under the License. -->
+                             <tarLongFileMode>posix</tarLongFileMode>
+                             <formats>
+                                 <format>dir</format>
+-                                <format>zip</format>
+                             </formats>
+                         </configuration>
+                     </execution>